[01/16] fwhosts.cgi Fix for bug 13876 & bug 13877
Commit Message
Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/fwhosts.cgi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Comments
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Am 25.09.2025 um 13:12 schrieb Adolf Belka:
> Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
> Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> html/cgi-bin/fwhosts.cgi | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
> index 953f81e5f..a666969b0 100644
> --- a/html/cgi-bin/fwhosts.cgi
> +++ b/html/cgi-bin/fwhosts.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
> +# Copyright (C) 2013-2025 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -714,7 +714,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
> }
>
> if ($fwhostsettings{'update'} eq 'on'){
> - @target=$fwhostsettings{'COUNTRY_CODE'};
> + @target=&Header::escape($fwhostsettings{'COUNTRY_CODE'});
> $type='Location Group';
>
> #check if host/net exists in grp
> @@ -796,7 +796,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
> foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
> $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'};
> $customservice{$key}[1] = $fwhostsettings{'SRV_PORT'};
> - $customservice{$key}[2] = $fwhostsettings{'PROT'};
> + $customservice{$key}[2] = &Header::escape($fwhostsettings{'PROT'});
> $customservice{$key}[3] = $ICMP;
> &General::writehasharray("$configsrv", \%customservice );
> #reset fields
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
+# Copyright (C) 2013-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -714,7 +714,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
}
if ($fwhostsettings{'update'} eq 'on'){
- @target=$fwhostsettings{'COUNTRY_CODE'};
+ @target=&Header::escape($fwhostsettings{'COUNTRY_CODE'});
$type='Location Group';
#check if host/net exists in grp
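Review bot: `COUNTRY_CODE` is HTML-escaped before it lands in `@target`, but nothing in this hunk checks it against the values the form can legitimately submit, so an arbitrary string is still stored, only in entity-encoded form. Rejecting unknown codes before the assignment would be the stronger fix, with escaping done where the value is printed. It would also keep the stored value identical to what the "check if host/net exists in grp" comparison below expects. The same applies to `PROT` in the saveservice hunk. The enclosing `if` block starts and ends outside the hunk, so an earlier validation step may exist that is not visible here; if the escape stays, a comment such as `# request value, rendered into HTML later: escape before storing` would record why it is there.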
@@ -796,7 +796,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
$customservice{$key}[0] = $fwhostsettings{'SRV_NAME'};
$customservice{$key}[1] = $fwhostsettings{'SRV_PORT'};
- $customservice{$key}[2] = $fwhostsettings{'PROT'};
+ $customservice{$key}[2] = &Header::escape($fwhostsettings{'PROT'});
$customservice{$key}[3] = $ICMP;
&General::writehasharray("$configsrv", \%customservice );
#reset fields
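Review bot: Only field `[2]` (`PROT`) is escaped, while `SRV_NAME` and `SRV_PORT` from the same request are written unescaped to the same record on the two lines above. If they are not validated earlier in the saveservice branch, which starts outside this hunk, they need the same treatment, e.g. `$customservice{$key}[0] = &Header::escape($fwhostsettings{'SRV_NAME'});`. The port could instead be checked as numeric before `&General::writehasharray` is called, which would reject bad input rather than store an encoded copy of it.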